List,
This post is really for archival purposes in the event that someone
else is looking into centralized authentication with RSA SecurID and
FreeBSD (or any other *nix platform for that matter)..
The organization I currently work for has a large ($$$) investment in
RSA SecurID (for VPN use mainly) and like most technology deployments
around here it is not used to it's full capability. With the onset of
SOX and the like, password use/policy/management has become a rather
large headache. So for us, SecurID made sense (at least in theory):
centralized, one time passwords.
( Yes, I know there are other options for centralized Unix account
administration, but to this point we have only used local accounts and
some SecurID. And our goal was to leverage existing infrastructure. )
Our Unix environment, in a phrase: "you build it, we'll run it". So
it was off to RSA to see what agents/clients are currently available.
Now we've be running older versions, in a limited capacity, of the RSA
agents for some time (sdshell: a shell that requires SecurID
authentication), but the support is limited (HP-UX, Solaris, AIX).
Then I noticed an available PAM module, joy! But the joy was short
lived, it only supports Solaris and RHE Linux.
So, when all else fails you head to google... What I found was a lot
of people in the same boat (on various platforms). I found a few
possible solutions, but not anything I felt confident about. So back
to square one.
Then I remembered that our VPN environment uses SecurID, but via
RADIUS. Ahhh... Knowing that FreeBSD already had a RADIUS PAM
module, it was my first test platform (5.3). Once everything was
configured it worked like a charm. Now for the rest of the
environment... Linux: Not a Problem (most distros come with the
FreeRadius PAM module), Solaris: Used PAM module from FreeRadius,
HP-UX: Also used module from FreeRadius (it was a bear to get
compiled), AIX: Haven't gotten to this one yet, but I have my fingers
crossed ;-). Everything at this point appears to work well and the
best part is that the solution/setup is the same for all!
A 'very quick' overview of the configuration...
1 - A RSA ACE Server running and configured with RADIUS (currently
runs on Solaris/HP-UX and WIndows?)
2 - A client server with a Radius PAM Module
3 - Create a 'Shared Secret'.
4 - Configure the RSA ACE/RADIUS server and the client server with
'shared secret'. (PAM module uses /etc/radius.conf for 'shared
secret', servername, etc)
5 - Configure PAM/sshd (or whatever PAM aware services) to require
RADIUS authentication
6 - Configure your local users. (local username must be there SecurID username)
here are some links...
http://www.freeradius.org/http://www.freeradius.org/pam_radius_auth/http://www.faqs.org/rfcs/rfc2865.htmlhttp://www.rsasecurity.com/ (limited documentation here, it's all on
the install cd's)
... and of course various local manpages.
A quick note on security...
RADIUS is not the most secure protocol out there. As a matter a fact
data is hidden via a md5 hash. (more details:
http://www.faqs.org/rfcs/rfc2865.html ). But our feeling was since
it's SecurID and the generated passcode is only used one time, the
risk is acceptable/minimal! (better then a lame password any day ;-)
HTH
-jw